DJDoubleD / refreezer

An alternative Deezer music streaming & downloading client, based on Freezer.
GNU General Public License v3.0

Publish Refreezer on F-droid.org #10

Open GithubUser452 opened 3 months ago

GithubUser452 commented 3 months ago

F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device. https://f-droid.org/en/docs/

PoorPocketsMcNewHold commented 2 months ago

Not sure if it would work under this:

Trademarks must not be infringed, and any other legal requirements must be adhered to.

Due to the finite case of ReFreezer's legality using the Deezer service (even if it's basically just a client and requires a Deezer account). The rest seems fine, albeit with marked NonFree bits.

alessioC42 commented 1 month ago

@IzzySoft, maybe this can be added to your repo?

IzzySoft commented 1 month ago

Maybe, but we'd need some clarification first concerning what my scanner reports on the APK:

Dangerous flags:
----------------
* usesCleartextTraffic

Permissions:
------------
* android.permission.INTERNET
* android.permission.WAKE_LOCK
* android.permission.FOREGROUND_SERVICE
* android.permission.FOREGROUND_SERVICE_MEDIA_PLAYBACK
* android.permission.MODIFY_AUDIO_SETTINGS
* android.permission.RECORD_AUDIO
* android.permission.REQUEST_INSTALL_PACKAGES
* android.permission.WRITE_EXTERNAL_STORAGE
* android.permission.READ_EXTERNAL_STORAGE
* android.permission.MANAGE_EXTERNAL_STORAGE
* android.permission.READ_MEDIA_AUDIO
* android.permission.ACCESS_NETWORK_STATE
* android.permission.VIBRATE
* android.permission.POST_NOTIFICATIONS
* android.permission.READ_MEDIA_IMAGES
* android.permission.READ_MEDIA_VIDEO
* r.r.refreezer.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION

SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Questionable points here are:

* usesCleartextTraffic: which unencrypted connections are used and where to?
* android.permission.RECORD_AUDIO: why? What needs to be recorded?
* android.permission.REQUEST_INSTALL_PACKAGES: what apps does a streaming app need to install?
* DEPENDENCY_INFO_BLOCK should be removed (it's a blob nobody but Google can read, so it's not only proprietary but might even be a security risk – details on that once the rest is clarified).

And NonFreeNet would definitely apply of course.

DJDoubleD commented 1 month ago

Questionable points here are:

To be clear, I'm not personally trying to get the app on F-Droid because I'm not sure all requirements can be satisfied given the nature of the app and the clear disclaimer in the ReadMe. That being said, I would like to remove/solve as many "questionable" items as I can (when I can).

  • usesCleartextTraffic: which unencrypted connections are used and where to?

I suppose this is because of the internal streaming server that is created with NanoHTTPD, which fetches the encrypted track streams from the Deezer servers and serves the decrypted stream (and some info about it) for playback to the just_audio player using http://127.0.0.1:36958. Error messages are being returned by the internal streaming server in clear text, e.g. return newFixedLengthResponse(Response.Status.METHOD_NOT_ALLOWED, MIME_PLAINTEXT, "Only GET request supported!");. Would using HTTPS for the internal streamserver solve this? (Have not yet looked into this; I guess I would need to gen a keystore and include the .jks in the project.)

  • android.permission.RECORD_AUDIO: why? What needs to be recorded?

It was needed when trying to use the just_audio's visualizer branch, which requires this permission to analyse the audio, even if no audio is being recorded. At this point, I can probably comment that permission out until the just_audio visualizer feature gets released in their main branch or I give it another shot with the visualizer branch.

  • android.permission.REQUEST_INSTALL_PACKAGES: what apps does a streaming app need to install?

It uses the GitHub API to check for newer releases, displays the release notes and offers a download button to the user to download and install the latest apk for the detected architecture from within the app (see release notes of v0.7.13). So it installs itself, as it's not on any app store like F-Droid...

  • DEPENDENCY_INFO_BLOCK should be removed (it's a blob nobody but Google can read, so it's not only proprietary but might even be a security risk – details on that once the rest is clarified).

No idea about this one, would need to do more research but given it's a flutter app, there is probably some dependency that uses this. Will have to figure out a way to detect which one and if it can be modified/replaced...

IzzySoft commented 1 month ago

given the nature of the app and the clear disclaimer in the ReadMe.

Going by that, a lot of apps would not be there. You make clear where the trademarks belong and what is accessed – so all I see from that is the app needs to be marked NonFreeNet as it entirely depends on a non-free (aka "proprietary") network service: Deezer. Apart from that I don't see what should be wrong with it. But let's also check the other points:

Would using HTTPS for the internal streamserver solve this?

Probably – but how will you get a proper certificate for it if you know neither the hostname nor its public IP? And in this case it's not strictly necessary: I don't know of any app using a local web server and NOT having cleartext traffic enabled. You can "pin" it to the local network using a network security policy (see: Network security configuration). That would probably look like this:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">127.0.0.1</domain>
        <domain includeSubdomains="true">10.0.0.1</domain>
        <domain includeSubdomains="true">localhost</domain>
    </domain-config>
</network-security-config>

Not sure if there's something like "localnet" – and the local network could also be 192.168.*.*. Not being an Android dev myself, I cannot give precise advice here, just clues, sorry.

I can probably comment that permission out until the just_audio visualizer feature gets released in their main branch or I give it another shot with the visualizer branch.

Thanks! If it's not used, please comment it out. If it will be used, we can add it to the app's "green list" here with the proper explanation.

It uses the GitHub API to check for newer releases

Well, now THAT is a problem, as it goes against the inclusion criteria: downloading and installing from Github would circumvent the additional security checks performed at IzzyOnDroid (same goes for F-Droid, even if they rarely check for that). Possible solutions are:

As I see an agreement would be possible, let me outline DEPENDENCY_INFO_BLOCK as well. This can be avoided by a minimal addition to your build.gradle (with Flutter I guess it's android/app/build.gradle):

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.
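To confirm that the dependenciesInfo change actually strips the blob from a build, here is a small parser for the APK Signing Block, the structure the IzzyOnDroid scanner inspects. This is an added example, not the project's or the scanner's code: the layout (leading size, ID-value pairs, trailing size, "APK Sig Block 42" magic, block placed just before the central directory) follows the APK signature scheme format, and build_apk constructs an unsigned one-entry zip with a synthetic block as test input rather than a real APK.

```python
import io
import struct
import zipfile

MAGIC = b"APK Sig Block 42"
DEPENDENCY_INFO_BLOCK = 0x504B4453  # the Google-only blob the scanner reported

def _central_directory_offset(apk):
    # End of Central Directory record (no archive comment assumed); CD offset is the uint32 at +16.
    eocd = apk.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a zip/apk: no EOCD record")
    return eocd, struct.unpack_from("<I", apk, eocd + 16)[0]

def signing_block_ids(apk):
    """Return {block_id: value} for the APK Signing Block, or {} if the APK has none."""
    _, cd_off = _central_directory_offset(apk)
    # The block sits directly before the central directory and ends with uint64 size + 16-byte magic.
    if cd_off < 24 or apk[cd_off - 16:cd_off] != MAGIC:
        return {}
    size = struct.unpack_from("<Q", apk, cd_off - 24)[0]  # excludes the leading size field
    start = cd_off - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("corrupt APK Signing Block: size fields disagree")
    pairs, pos, end = {}, start + 8, cd_off - 24
    while pos < end:
        length, block_id = struct.unpack_from("<QI", apk, pos)  # length covers id + value
        pairs[block_id] = apk[pos + 12:pos + 8 + length]
        pos += 8 + length
    return pairs

def has_dependency_info(apk):
    """True if DEPENDENCY_INFO_BLOCK is still present, i.e. the dependenciesInfo change did not take effect."""
    return DEPENDENCY_INFO_BLOCK in signing_block_ids(apk)

def build_apk(blobs=None):
    """Constructed, unsigned test input: a one-entry zip, optionally with a synthetic signing block spliced in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    data = buf.getvalue()
    if blobs is None:
        return data
    eocd, cd_off = _central_directory_offset(data)
    pairs = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in blobs.items())
    size = len(pairs) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + MAGIC
    tail = bytearray(data[eocd:])
    struct.pack_into("<I", tail, 16, cd_off + len(block))  # shift the CD offset past the block
    return data[:cd_off] + block + data[cd_off:eocd] + bytes(tail)
```

Run signing_block_ids on the release APK before and after the build.gradle change; 0x504b4453 should appear only in the "before" output, while the v2/v3 signature IDs remain.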